Do not save encrypted pages to disk

I'm interested in details about option "Do not save encrypted pages to disk",
and disk cache in general.
IE supports several protocols for data gathering: http, https, ftp,
gopher,...
When retreived via https, data is decrypted in order to be displayed in
browser.
In that case, automatic cacheing mechanism saves ENCRYPTED pages into
special folder "Temporary Internet files", right? Is there a way to observe
encrypted pages in that cache, or only those that were not encrypted, or were
decrypted (if these are saved that way there at all)?
If pages are cached for performance reasons, wouldn't it be reasonable to
save them decrypted, in order to avoid decryption overhead? Security issue
for saving confidential data to disk exists in any case, unauthorized user
may use brute force method to decrypt files if he has unrestricted access to
them and is willing to do that.
And that's what observed option is used for, to avoid saving confidential
data to disk, if retreived over secure link? Is there the same policy for all
file types (extensions) regarding that matter?
What was the exact MS's intention, which IE behaviour to control with that
option?
It namely affects conscious, intended saving initiated by user too (using
option "Save Target As...", "Save As..."), it affects viewing the page
source, export of data etc. In version 7 it is regular behaviour that this
option has to be turned off to enable this actions, which by the way are used
to save or access DECRYPTED data, definetly. In lower versions, at least in
most of their updates, it is even not possible to save non html content (for
example xml) retreived via https, regardless of this option setting, because
of an obvious bug.
In MS knowledge base there is a workaround for this issue:http://support.microsoft.com/kb/323308/en-us
which suggests that when there is "no cache" directive in http response
header, received over SSL, BypassSSLNoCacheCheck registry entry should be
added. Otherwise, "download is not possible". On the other hand, if the
original intention was to control automatic cache, if IE user is not aware of
that it is necessary to delete cache when downloading confidential data, will
he be aware of, or able, to check/set this option in IE on a public work
station, to protect himself from undesired file saving?
Are there any issues in version 7 with a disk cache? Sometimes I can't
delete temporary
files, sometimes when I delete them, nothing is saved anymore. I never
experienced such things
in version 6.

No, all files in this folder are unencrypted and in their native format.
The SSL/secure part is ONLY on the TCP connection to stop it being
viewed in the highly unlikely event of it being intercepted.
(It is still possible to decrypt in some situations and if you get the
entire conversation)

Setting that option means it doesn't cache them at all (Hence the view
source being disabled).

Advertisements

Thanks Dean for your answer. Any comments on Microsoft intentions with this
option? If I use "Save Target As..." it means I'm aware of saving to a local
disk, why would this setting prevent me from performing this deliberate
action, anyway?
If this is supposed to prevent automatic cacheing when downloading via SSL,
it shouldn't be possible to turn it off, for previously described reasons. Or
not? Would someone please shed some light on this?

"Dean Earley" wrote:
> hdjur wrote:
> > I'm interested in details about option "Do not save encrypted pages
> > to disk", and disk cache in general. IE supports several protocols
> > for data gathering: http, https, ftp, gopher,... When retreived via
> > https, data is decrypted in order to be displayed in browser. In that
> > case, automatic cacheing mechanism saves ENCRYPTED pages into special
> > folder "Temporary Internet files", right?
>
> No, all files in this folder are unencrypted and in their native format.
> The SSL/secure part is ONLY on the TCP connection to stop it being
> viewed in the highly unlikely event of it being intercepted.
> (It is still possible to decrypt in some situations and if you get the
> entire conversation)
>
> Setting that option means it doesn't cache them at all (Hence the view
> source being disabled).
>
> --
> Dean Earley ()
> i-Catcher Development Team
>
> iCode Systems
>

The ONLY option it disables for me is "View source".
Save target as, Save picture as, etc are all enabled and working fine.

This option ONLY effects whether it saves it in the cache.

hdjur wrote:
> Thanks Dean for your answer. Any comments on Microsoft intentions with this
> option? If I use "Save Target As..." it means I'm aware of saving to a local
> disk, why would this setting prevent me from performing this deliberate
> action, anyway?
> If this is supposed to prevent automatic cacheing when downloading via SSL,
> it shouldn't be possible to turn it off, for previously described reasons. Or
> not? Would someone please shed some light on this?
>
> "Dean Earley" wrote:
>
>> hdjur wrote:
>>> I'm interested in details about option "Do not save encrypted pages
>>> to disk", and disk cache in general. IE supports several protocols
>>> for data gathering: http, https, ftp, gopher,... When retreived via
>>> https, data is decrypted in order to be displayed in browser. In that
>>> case, automatic cacheing mechanism saves ENCRYPTED pages into special
>>> folder "Temporary Internet files", right?
>> No, all files in this folder are unencrypted and in their native format.
>> The SSL/secure part is ONLY on the TCP connection to stop it being
>> viewed in the highly unlikely event of it being intercepted.
>> (It is still possible to decrypt in some situations and if you get the
>> entire conversation)
>>
>> Setting that option means it doesn't cache them at all (Hence the view
>> source being disabled).

Did you try to save non html content (for example xml) retreived via https?
Because, as you can see, I didn't say saving html is not possible.

"Dean Earley" wrote:
> The ONLY option it disables for me is "View source".
> Save target as, Save picture as, etc are all enabled and working fine.
>
> This option ONLY effects whether it saves it in the cache.
>
> hdjur wrote:
> > Thanks Dean for your answer. Any comments on Microsoft intentions with this
> > option? If I use "Save Target As..." it means I'm aware of saving to a local
> > disk, why would this setting prevent me from performing this deliberate
> > action, anyway?
> > If this is supposed to prevent automatic cacheing when downloading via SSL,
> > it shouldn't be possible to turn it off, for previously described reasons. Or
> > not? Would someone please shed some light on this?
> >
> > "Dean Earley" wrote:
> >
> >> hdjur wrote:
> >>> I'm interested in details about option "Do not save encrypted pages
> >>> to disk", and disk cache in general. IE supports several protocols
> >>> for data gathering: http, https, ftp, gopher,... When retreived via
> >>> https, data is decrypted in order to be displayed in browser. In that
> >>> case, automatic cacheing mechanism saves ENCRYPTED pages into special
> >>> folder "Temporary Internet files", right?
> >> No, all files in this folder are unencrypted and in their native format.
> >> The SSL/secure part is ONLY on the TCP connection to stop it being
> >> viewed in the highly unlikely event of it being intercepted.
> >> (It is still possible to decrypt in some situations and if you get the
> >> entire conversation)
> >>
> >> Setting that option means it doesn't cache them at all (Hence the view
> >> source being disabled).
>

Share This Page

Welcome to Windows Vista Tips

Welcome to Windows Vista Tips, your resource for help for any tech support and computing help with Windows Vista..

Please join our friendly community by clicking the button below - it only takes a few seconds and is totally free. You'll be able to ask questions about Vista or chat with the community and help others.
Sign up now!